From 432e7023b17a907b3381545b6dc8d4837ee00d62 Mon Sep 17 00:00:00 2001
From: Simon Butcher
Date: Thu, 11 Apr 2019 18:56:18 +0100
Subject: [PATCH] Add additional sanity checks to check_config.h Additional sanity checks in check_config.h to ensure: * if test certificates are included (MBEDTLS_CERTS_C) there must be also be support for the core X509 feature (MBEDTLS_X509_USE_C). This has a secondary dependency on the public key abstraction layer (MBEDTLS_PK_C), necessary as the certificates will either be signed by RSA or ECDSA, and therefore need to be part of the library. * if any of the TLS protocols are defined (MBEDTLS_SSL_PROTO_xxx) then a key exchange method must also be defined (MBEDTLS_KEY_EXCHANGE_xxx). Anyone who knows the library will probably not make these mistakes or will quickly diagnose and fix them, but it is possible to compile and link both configurations if you build only the library and not the example programs, and therefore users may not realise immediately that there's a mistake, only discovering it at runtime. These checks may therefore save someone some time.
Signed-off-by: Simon Butcher
---
 include/mbedtls/check_config.h | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index d904d5a7a..fa3caa7c4 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -619,6 +619,23 @@
 #error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
 #endif
+#if (defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+ defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \
+ !(defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) )
+#error "One or more versions of the TLS protocol are enabled " \
+ "but no key exchange methods defined with MBEDTLS_KEY_EXCHANGE_xxxx"
+#endif
+
 #if defined(MBEDTLS_SSL_PROTO_DTLS) && \
 !defined(MBEDTLS_SSL_PROTO_TLS1_1) && \
 !defined(MBEDTLS_SSL_PROTO_TLS1_2)
@@ -763,6 +780,10 @@
 #error "MBEDTLS_X509_CREATE_C defined, but not all prerequisites"
 #endif
+#if defined(MBEDTLS_CERTS_C) && !defined(MBEDTLS_X509_USE_C)
+#error "MBEDTLS_CERTS_C defined, but not all prerequisites"
+#endif
+
 #if defined(MBEDTLS_X509_CRT_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) )
 #error "MBEDTLS_X509_CRT_PARSE_C defined, but not all prerequisites"
 #endif
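Review bot: The new `#error` message in the first hunk is split over two string literals joined by a backslash, unlike the single-literal `#error` lines in the surrounding context. String literals are not concatenated inside a preprocessor directive, so the compiler will typically print both quoted pieces as written. A single line in the file's existing wording would read better, for example `#error "MBEDTLS_SSL_PROTO_xxx defined, but no MBEDTLS_KEY_EXCHANGE_xxx_ENABLED option is set"`. The hard-coded list of eleven key-exchange macros also has to grow whenever a new one is introduced, so a comment above the `#if` such as `/* Keep this list in sync with the MBEDTLS_KEY_EXCHANGE_xxx_ENABLED options */` would help. A stale list fails closed, rejecting a valid configuration at compile time, which is the safe direction.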
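Review bot: The `MBEDTLS_CERTS_C` check in the second hunk tests only `MBEDTLS_X509_USE_C`, while the commit message also names a secondary dependency on `MBEDTLS_PK_C` that this hunk does not check. If that dependency is enforced through `MBEDTLS_X509_USE_C`'s own prerequisite check elsewhere in the file (not shown here), a comment above the `#if` would record it, for example `/* MBEDTLS_PK_C is required indirectly, through MBEDTLS_X509_USE_C */`. Otherwise the condition should test it directly: `#if defined(MBEDTLS_CERTS_C) && ( !defined(MBEDTLS_X509_USE_C) || !defined(MBEDTLS_PK_C) )`.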